SPOTLIGHT ON SECURITY

ID Theft Gives Apple Another Security Black Eye

Once upon a time, security shiners involving Apple were as rare as Windows Vista lovers, but now it seems that a week doesn’t go by without the name of Steve Jobs’ baby being dragged through the digital mud.

Last week’s episode involved the hacktivist group AntiSec and the FBI. AntiSec claimed it compromised an FBI laptop and stole more than 12 million unique IDs for Apple devices from it. It then posted a million of them to the Internet to back up its claim.

FBI Denies Claim

Following AntiSec’s chest beating on the Web, the FBI discredited the hacktivists’ claims. “The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed,” it said in a statement. “At this time, there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.”

Apple supported the FBI’s version of things. “The FBI has not requested this information from Apple, nor have we provided it to the FBI or any organization,” an Apple spokesperson told AllThingsD.

She added that the use of UDIDs will be banned in the next version of Apple’s mobile operating system, iOS 6.0.

Regardless of where the UDIDs came from, or whether they’re authentic, it doesn’t appear that they’ll be of much value to Net bottom feeders. “With the file that was put on the Internet, there is very little damage that you can create,” Ori Eisen, founder of the 41st Parameter, a fraud detection company, told TechNewsWorld.

If, as AntiSec claims, it’s withholding information that links the UDIDs to individuals, that’s a new ballgame, Eisen noted.

“Having access to the UDID itself doesn’t give them access to information on a phone,” Lee Cocking, vice president for corporate strategy at Fixmo, told TechNewsWorld.

He explained that some security concerns may be arising because of the ways UDIDs were used in the past. “Some services like Facebook and Twitter have used the UDID to identify a user,” he said. “If you passed a UDID in a connection string, it passed you through without any other credentials.” That practice has been abandoned in newer devices, he said.
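The practice Cocking describes, a service treating a device identifier in a connection string as proof of who the user is, is what turns a leaked list of UDIDs into an account-takeover risk. The following is an added illustration, not code from the article or from any of the companies named in it: a hypothetical handler that authenticates by UDID alone, beside a hardened version that uses the UDID only as a lookup key and requires a fresh HMAC made with a secret issued to the device at enrollment. All account records, UDIDs and keys are constructed sample values.

```python
"""Added illustration: why a device identifier must not be the credential.

The weak handler mirrors the behaviour described in the article (UDID in,
account out). The hardened handler requires a per-device secret that a
leaked UDID list does not contain. Everything here is hypothetical and the
sample data is constructed.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Constructed sample data: 40-hex-character identifiers in the style of a UDID.
ACCOUNTS: Dict[str, str] = {
    "0f" * 20: "alice@example.com",
    "3a" * 20: "bob@example.com",
}


# --- Weak: the device identifier *is* the credential -------------------------
def login_by_udid(udid: str) -> Optional[str]:
    """Return the account for a UDID, or None.

    Anyone holding the UDID (for example from a published dump) is treated
    as the device's owner; nothing secret is ever checked.
    """
    return ACCOUNTS.get(udid.lower())


# --- Hardened: UDID is a lookup key, a server-issued secret is required ------
ISSUED_SECRETS: Dict[str, bytes] = {}   # udid -> device secret, set at enrollment


def enroll_device(udid: str, password_ok: bool) -> Optional[bytes]:
    """Issue a random per-device secret once the user proved ownership
    by another factor (password_ok stands in for a real password check)."""
    if not password_ok or udid.lower() not in ACCOUNTS:
        return None
    device_secret = secrets.token_bytes(32)
    ISSUED_SECRETS[udid.lower()] = device_secret
    return device_secret


def sign_request(device_secret: bytes, udid: str, ts: int) -> str:
    """Client side: HMAC-SHA256 over the UDID and a timestamp."""
    msg = f"{udid.lower()}|{ts}".encode()
    return hmac.new(device_secret, msg, hashlib.sha256).hexdigest()


def login_hardened(udid: str, ts: int, sig: str,
                   now: Optional[int] = None, max_skew: int = 300) -> Optional[str]:
    """Return the account only if the request carries a fresh, valid HMAC
    made with the secret issued to this device. A bare UDID is refused.

    The timestamp window limits how long a captured signature is usable;
    a production design would add a server-tracked nonce to stop replay
    inside the window.
    """
    now = int(time.time()) if now is None else now
    device_secret = ISSUED_SECRETS.get(udid.lower())
    if device_secret is None or abs(now - ts) > max_skew:
        return None
    expected = sign_request(device_secret, udid, ts)
    if not hmac.compare_digest(expected, sig):   # constant-time comparison
        return None
    return ACCOUNTS.get(udid.lower())


if __name__ == "__main__":
    leaked = "0f" * 20                      # constructed: a UDID "from a dump"
    print("weak login with UDID only:", login_by_udid(leaked))
    print("hardened login with UDID only:",
          login_hardened(leaked, int(time.time()), "00" * 32))
```

The point of the comparison is that the hardened server never learns anything from the UDID alone: without the enrollment-time secret, which never leaves the device and the server, a dump of identifiers yields no session. Services that once accepted the identifier by itself had, in effect, published a list of valid passwords.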

While the UDIDs have been on the Net for more than a week, their veracity is still in doubt. “It’s he-said-she-said,” Rob Rachwald, director of security strategy at Imperva, told TechNewsWorld. “Maybe only a handful of people on the planet know if it’s real.”

Cybercrime Costs Billions in 2011

Symantec released its annual cybercrime report last week, estimating that nefarious digital deeds cost consumers around the world US$110 billion in direct financial losses — $20.7 billion of that in the United States.

Around 556 million adults around the world have had a first-hand experience with cybercrime, Symantec estimated. In the United States, it noted, 71 million people were victims of cybercrime in 2011.

Meanwhile, McAfee also released its threats report for the quarter ending in June last week. Mobile malware continues to be a burgeoning field for cyber miscreants, it noted. Its mobile malware database has grown 600 percent in less than a year. Midway through 2012, the company has 13,000 malware samples, compared to fewer than 2,000 in all of 2011.

So far this year, McAfee reported, mobile bandits have shown their resourcefulness by fertilizing drive-by download sites for infecting Android phones, controlling mobile botnets through Twitter and reworking ransomware schemes for the mobile market.

SMS Phishing Jumps 913 percent

During the first week of September, SMS phishing attacks skyrocketed 913 percent, according to Mary Landesman, a senior security researcher with cyber security firm Cloudmark.

Landesman explained that the phishing surge has been caused by a single set of attacks that began Sept. 4. So far, she’s identified more than 500 unique pitches used in the campaign.

Ploys deployed in the attacks, she noted, include Bank of America account suspensions, Macy’s credit card collections and requests from the U.S. Veteran’s Administration health services.

Victims of the scams risk bank account and identity theft, as well as credit card fraud, she observed. The information can also be used to inflict harm on others through “social engineering.”

Recipients of phishing text messages can alert their carriers to the activity by forwarding the message to the short code 7726.

Breach Diary

  • Sept. 3: Three UK police websites breached and email addresses, account passwords of staff working on Safer Neighborhoods program posted on Web by hacker who claims to support WikiLeaks founder Julian Assange.
  • Sept. 3: Reports identify the Vatican as victim of Admin.HLP keylogger, which captures sensitive user information and attempts to export it to a remote location. The Vatican is neither denying nor confirming the breach.
  • Sept. 4: Hacker group known as AntiSec posts to the Internet more than one million alleged device IDs from Apple products. Group claims dump is portion of 12 million IDs stolen from FBI laptop. FBI denies IDs came from them. Apple denies it gave the IDs to the FBI.
  • Sept. 5: US Secret Service confirms it is investigating an extortion threat against presidential candidate Mitt Romney by cyber thieves who claim to have breached the Tennessee offices of accounting firm PricewaterhouseCoopers and copied all the candidate’s tax returns prior to 2010. The attackers have threatened to make the returns public on Sept. 28 unless they’re paid $1 million.
  • Sept. 6: Security risk intelligence company Rapid7 releases analysis of government data breaches from 2009 to mid-2012. During the period, 268 incidents were reported exposing 94 million records containing personally identifiable information.
  • Sept. 6: Sony confirms that names and email addresses posted by a hacker group called NullCrew were stolen from servers managed by a third party and serving Sony mobile customers in China and Taiwan. The number of people affected by the breach was not disclosed by Sony, but the group posted 441 usernames and email addresses to the Internet as proof of its breach claims.

Calendar

  • Sept. 12-14: UNITED (Using New Ideas to Empower Defenders) Security Summit. Grand Hyatt, San Francisco. Registration: US$1,395.
  • Sept. 20: Attack Tools Workshop. 1 p.m. ET. Black Hat webcast. Free with registration.
  • Sept. 25: Security Awareness — Maybe It’s Not About the Users. 2 p.m. ET. RSA webcast. Free with registration.
  • Sept. 27: Foundational Cyberwarfare (Plan X) Proposer’s Day Workshop. 9 a.m.-4 p.m. ET. DARPA Conference Center, 675 N. Randolph Street, Arlington, Va. Closed to media and public. Unclassified session in the morning. U.S. DOD Secret clearance needed to attend afternoon session.
  • Oct. 1: Launch of “S&TI Flash Traffic,” a monthly summary of R&D activities for 14 high risk nation states — states with high levels of hacker activity or acts of cyber espionage — published by Taia Global. Annual subscription $250 until October 1, $500 thereafter.
  • Oct. 9-11: Crypto Commons. Hilton London Metropole, U.K. Discount registration (by Sept. 12): Pounds 900. Standard registration: Pounds 1,025.
  • Oct. 16-18: ACM Conference on Computer and Communications Security. Sheraton Raleigh Hotel, Raleigh, N.C.
  • Oct. 18: Suits and Spooks Conference: Offensive Tactics Against Critical Infrastructure. Larz Anderson Auto Museum, Brookline, Mass. Attendance cap: 130. Registration: Early Bird, $295 (by Sept. 18); Standard, $395 (by Oct. 17).
  • Oct. 25-31: Hacker Halted Conference 2012. Miami, Fla. Sponsored by EC-Council. Registration: $2,799-$3,599.
  • Dec. 3-7: Annual Computer Security Applications Conference. Orlando, Fla. Registration starts in September.

John Mello is a freelance technology writer and former special correspondent for Government Security News.
